Tag: Incident Response

In our last post, we took a look at traditional security incident response vs. the possibility to dramatically increase security velocity (which I affectionately nicknamed “spacefolding”).

We viewed this through the lens of a conventional response timeline that can take hours and days — versus seeing into exactly what occurred and decreasing the Mean Time-To-Know (MTTK) for a security incident — because all of the relevant information is visible and available to you.

I recently added a Starz subscription to my Amazon Prime and found a new supply of science fiction movies. One of these, Deja Vu, is a time travel story from a decade ago; a weird mashup of the post-9/11 terror attack genre mixed with science fiction. In the film, a terror attack takes place in New Orleans and a small army of government men-in-black from various state and Federal agencies respond. Because the attack involved a ferry, the NTSB and FBI collaborate along with elements of the ATF, including a talented investigator played by Denzel Washington.

Dr. Watson is the intellectual and gentlemanly sidekick of fictional detective Sherlock Holmes. With Watson at his side, Sherlock is able to better navigate the complexities of human emotion (not his forte), so Sherlock leans on Watson, and understandably so. They make a good pair.

But while Watson is able to solve the odd mystery himself, only the highly observant Sherlock, with his machine-like analytical mind, is able to produce the insight needed to crack their toughest cases.

You can think of cloud security in the same way. A basic cloud security system will probably alert you to many of the biggest, most obvious attacks. But without sufficient context, you won’t be able to see the full scope of impact. You won’t know where it has spread in your system or what kind of damage it has done. Even if you manage to stop it in one area, you may not succeed in defeating it, and the ramifications can be distressing.

What if one day you came home and a bunch of your valuables had been stolen: computers, jewelry, that big screen TV… When you call the police to report the burglary, the first thing they will ask for to begin the investigation is context:

What time did it happen?

Was there a break-in? If not, who had keys to your house?

Where were your valuables being stored?

The more information they have, the better the chances they they will track down the culprit and get your stuff back. Now, if you have a home surveillance system set up—say, a Dropcam or Canary —they’re going to have even more information to work with: timestamps, video footage, audio, etc.

All in all – the more context you have, the better. The same applies to cloud security. When something goes awry, context is what guides you about what to do, where to start investigate, who’s at fault?

Right on the heels of traveling out to Monitorama in Portland, OR, we will be making a splash at BSides Boston. Having been to several BSides events across the country in the past, we’re excited to immerse ourselves in this one — and right in our own backyard!

Mark Thomas and Bill Young of Threat Stack will be speaking at BSides, expanding the local security community on topics of cloud security monitoring and operations security.